Despite Security Flaws, Internet Explorer Resists Decline and Fall

Fred Cohen, principal analyst at The Burton Group, told the E-Commerce Times that releasing a patch prematurely can cause more problems than the vulnerability itself. Indeed, the IE patch's tardiness appears to have had little effect on the browser market, according to Dennis Barr of the Larkin Group.

By Alison Diana
03/23/04 4:14 AM PT

Microsoft is still top dog in a newly invigorated brawl over the browser
space, despite some security flaws and a somewhat sluggish development
schedule.

Although alternative browsers may offer more secure portals to the Web, many IT
managers in corporate America are reluctant to move away from IE -- preferring,
instead, to gamble on Microsoft's release of Internet Explorer 6 for XP
Service Pack 2, which is slated to become available in the first half
of this year.

"I'm happy for the most part with Microsoft's current products, but I'm
waiting for them to get further along in their Trustworthy Computing work
before I can say that I'm completely happy with them," Dennis Barr, manager
of information technology at the Larkin Group, a Kansas City, Missouri-based civil engineering consulting firm, told the E-Commerce Times. "IE needs work, but they seem to be seeing that fact with the upcoming Windows XP SP2 release."

Feature Focus

"I'm hoping that some of the things [IE] lacks will begin to appear from
Microsoft," Barr added. "If that happens, I would have to re-evaluate my
opinions about IE. Specifically, those features include better isolation
of browser processes from the computer as a whole -- sandboxing, tabbed
browsing -- and the option to open a group of related sites as tabs
simultaneously, a better print preview, really good pop-up control
and a few others."

In fact, according to the Redmond, Washington-based software
company, IE 6 for XP SP2 will:

block unauthorized file downloads and pop-up windows;

prevent pop-up windows from obscuring or replacing the user interface
in Windows and IE dialog boxes;

check for signatures on downloaded executables and prompt or warn
the user;

enforce stricter matching between file type and MIME type to prevent
IE from being spoofed into running an executable that claims to be a JPEG
file;

fix all known MSRC issues;

prompt users before running code downloaded from the Internet, even
if the code was encoded in .zip format or downloaded via Messenger.
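Two of the items above, stricter matching of a file's declared type against its real content and prompting on executables even when they arrive inside a .zip, are both variants of one check: sniff the bytes you actually received and compare them with what the server, the filename and the container claim. The following is an added example written for this page, not Microsoft's or IE's code. It uses a small, hypothetical magic-byte table and a hypothetical verdict policy (block a spoofed executable, prompt on any executable or on a zip that carries one, otherwise allow); the sample blobs are constructed inline and are not real files.

```python
"""Declared-type vs. content check, modelled on the SP2 download rules above.
Added example; the signature table and verdict policy are assumptions."""
import io
import os
import zipfile
from typing import List, Optional, Tuple

# Assumed, deliberately small signature table (real sniffers carry many more).
MAGIC = [
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"PK\x03\x04", "application/zip"),
    (b"MZ", "application/x-msdownload"),  # DOS/PE executable header
]
EXECUTABLE_TYPES = {"application/x-msdownload"}
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd"}
EXT_TO_MIME = {
    ".jpg": "image/jpeg", ".jpeg": "image/jpeg", ".png": "image/png",
    ".gif": "image/gif", ".zip": "application/zip",
    ".exe": "application/x-msdownload",
}


def sniff(data: bytes) -> Optional[str]:
    """Return the MIME type implied by the leading bytes, or None if unknown."""
    for sig, mime in MAGIC:
        if data.startswith(sig):
            return mime
    return None


def zip_executables(data: bytes) -> List[str]:
    """Names of zip members that look executable by extension or by MZ header."""
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            ext = os.path.splitext(info.filename)[1].lower()
            with zf.open(info) as member:
                head = member.read(2)
            if ext in EXECUTABLE_EXTS or head == b"MZ":
                found.append(info.filename)
    return found


def assess_download(filename: str, declared_mime: str, data: bytes) -> Tuple[str, List[str]]:
    """Decide block / prompt / allow for a download and explain why.

    A file whose content is executable but whose declared type or extension
    claims otherwise is the JPEG-spoofing case and is blocked outright.
    """
    ext = os.path.splitext(filename)[1].lower()
    actual = sniff(data)
    reasons: List[str] = []
    claims_non_exec = (declared_mime not in EXECUTABLE_TYPES) or (
        ext in EXT_TO_MIME and EXT_TO_MIME[ext] not in EXECUTABLE_TYPES)
    is_exec = actual in EXECUTABLE_TYPES or ext in EXECUTABLE_EXTS

    if actual in EXECUTABLE_TYPES and claims_non_exec:
        reasons.append(f"executable content presented as {declared_mime} / {ext or 'no ext'}")
        return "block", reasons
    if is_exec:
        reasons.append("executable download")
    if actual and actual != declared_mime:
        reasons.append(f"declared {declared_mime} but content is {actual}")
    if actual and ext in EXT_TO_MIME and EXT_TO_MIME[ext] != actual:
        reasons.append(f"extension {ext} does not match content {actual}")
    if actual == "application/zip":
        members = zip_executables(data)
        if members:
            reasons.append("zip contains executables: " + ", ".join(members))
    return ("prompt" if reasons else "allow"), reasons


# Constructed sample inputs (not real files).
JPEG_SAMPLE = b"\xff\xd8\xff\xe0" + b"\x00" * 28
EXE_SAMPLE = b"MZ" + b"\x90" * 62


def build_zip_sample() -> bytes:
    """A zip holding a harmless text member and an MZ-headed 'setup.exe'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "hello")
        zf.writestr("setup.exe", EXE_SAMPLE)
    return buf.getvalue()


ZIP_SAMPLE = build_zip_sample()

if __name__ == "__main__":
    for name, mime, blob in [("photo.jpg", "image/jpeg", JPEG_SAMPLE),
                             ("photo.jpg", "image/jpeg", EXE_SAMPLE),
                             ("setup.exe", "application/x-msdownload", EXE_SAMPLE),
                             ("tools.zip", "application/zip", ZIP_SAMPLE)]:
        print(name, mime, assess_download(name, mime, blob))
```

The spoofing case is decided by content alone: a server can send any Content-Type header and any filename it likes, so only the sniffed bytes are trusted, and the declared type is used purely to detect the lie. Real sniffers must also handle leading whitespace, BOMs and formats without a fixed header, which this table ignores.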

Market Leader

In the meantime, companies striving to erode IE's market share have a large target. IE
has 94.8 percent of worldwide browser market share, according to OneStat, an Amsterdam,
Netherlands-based provider of real-time Web site analytics. Breaking it down, IE 6.0 has
68.1 percent of the market, IE 5.5 takes 13.8 percent, and IE 5.0 holds 11.8 percent, the
company found.

Second-place Mozilla took just 1.8 percent of the market, according to
OneStat's most recent report, released in January, while Opera 7.0 had 0.8
percent. IE 4.0 had 0.7 percent, and Safari took 0.48 percent.

On the other hand, "at IE's peak a year and a half ago, 95 percent of visitors to Salfara's Web site used Internet Explorer," said Stephen Morley of informational Web
site Salfara.com. "Although new content has appeared on the site, its target
audience has not changed, and now fewer than 80 percent of visitors use IE.
The trend has been consistently downward."

Indeed, IE's market share, though still dominant, has slipped slightly. In July
2003, all versions of IE commanded 95.4 percent of global browser usage share,
according to OneStat. Mozilla took 1.6 percent, while Netscape Navigator 4.0
and Opera 6.0 each represented 0.6 percent of the market. IE 6.0's own share,
however, grew between July 2003 and January 2004: in July 2003 that version
represented 66.3 percent of total browser use, against 68.1 percent in the
January report, OneStat stated.

Executing Options

Although Larkin has almost completely standardized on IE, Barr said he personally
prefers Mozilla because of its inability to run ActiveX controls and its tabbed
browsing capabilities.

"I made a point of mentioning the inability of Mozilla to run ActiveX
controls because that, to me, is one of the ways that IE remains vulnerable
to attack," Barr said. "Despite my own preference for Mozilla, most people
don't want the downside of not being able to run ActiveX controls. So you
can see I'm caught in something of a Catch-22: The thing that I consider a
security vulnerability is viewed by most people as an operational asset."

User education and comfort with browser technology have caused some people
to look elsewhere for this type of software, Morley said. "While users of
alternative browsers have had features like tabbed browsing and automatic
pop-up blocking for years, IE users have had to rely on third-party add-ons
for these features, and they are now beginning to see what they're missing,"
he noted.

"The Internet will not wait for Microsoft to catch up -- support in
alternative browsers for emerging technologies is already advanced, and with
new versions of XHTML and CSS nearly here, people will switch browsers in
order to get the most out of the Web."

The Mozilla Factor

Like Barr, Morley said he prefers Mozilla to other browsers due to its advanced,
standards-compliant rendering engine.

"This forms the basis of a number of open-source browsers, including
Galeon, Camino and Firefox," he said. "Firefox is Mozilla's official
next-generation Web browser and, although still in the prerelease stage, it
is already attracting the attention of the industry. Firefox 1.0 will be
released this summer for Windows, Mac and Linux, and in the coming year we should expect to see it become the most popular browser."

Although he has never used it, Barr has heard favorable comments about
Opera.

"Some of the IE supplements and enhancements I've tried include Avant
Browser for IE, Amaya from W3C and MyIE. Most of them irritated me for one
reason or another, and I had to remove them," Barr said. "The thing to consider
in alternative browsers is whether they support the Web sites that people in an
enterprise regularly access, and whether they work with applications within the enterprise."

Patching Up

Although Microsoft drew criticism for what some saw as a sluggish
response to vulnerabilities in IE, accuracy -- not speed -- is what matters
most when delivering patches, some executives said.

"Security response requires a balance between time and testing, but
Microsoft will only release a security bulletin that is as well-engineered
and thoroughly tested as possible -- whether that is a day, week, month or
longer," a Microsoft spokesperson told the E-Commerce Times. "In security
response, an incomplete patch can be worse than no patch at all if it only
serves to alert malicious hackers to a new issue."

Fred Cohen, principal analyst at The Burton Group, told the E-Commerce Times
that releasing a patch prematurely can cause more problems than the vulnerability
itself.

"If the change isn't right and it causes tens of millions of systems to crash,
that's not good," he said, adding that once an enterprise has received a patch, it must
ensure the patch does not create problems for its computing environment.

"I consider it almost criminal to delay a patch if there's a demonstrated vulnerability present in a huge number of systems," he said.

"However, on
the other hand, sometimes a hastily released patch causes more problems than
it solves. Obviously, you have to get the right patch out as early as
possible and as widely distributed as possible. In the case of the general
user, I'm not sure the issue with the patch for IE was that prominent on
their radar.

"Now that patches have been released," he said, "I've been applying them as
rapidly as I can. But for the average user at home, I'm not sure there's a
real sense of urgency."